Note that since I'm a n00b at git and I didn't realize new commits to my tree would end up in the same pull request, there's a 3d commit that adds a 5th parameter to createCert(). now the function sig looks like:

dcrypt.x509.createCert(bitSize, days, serial, entries, extensions);

(Apparently browsers hate seeing the same serial on certs signed by a common CA.)